Hi,

I've Debian running Shorewall, with two interfaces.
Sometimes I want to block access of one host from the local network to the internet.
I've used the command:

shorewall drop 10.1.1.222

after this that host can't make new connections, but existing connections are still active.

How to break these active connections?
Maybe I should use iptables directly?

Regards
Mirek

-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Mirek Sobczak wrote:
> Hi,
> I've Debian running Shorewall, with two interfaces.
> Sometimes I want to block access of one host from the local network to the internet.
> I've used the command:
> shorewall drop 10.1.1.222
>
> after this that host can't make new connections, but existing connections
> are still active.
>
> How to break these active connections?
> Maybe I should use iptables directly?

Use 'cutter'.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Mirek Sobczak wrote:
>> Hi,
>> I've Debian running Shorewall, with two interfaces.
>> Sometimes I want to block access of one host from the local network to the internet.
>> I've used the command:
>> shorewall drop 10.1.1.222
>>
>> after this that host can't make new connections, but existing connections
>> are still active.
>>
>> How to break these active connections?
>> Maybe I should use iptables directly?
>
> Use 'cutter'.

Or if you have small blacklists, you can also set BLACKLISTNEWONLY=No in shorewall.conf.

-Tom
On Tue, Dec 11, 2007 at 11:06:36AM -0800, Tom Eastep wrote:
> Tom Eastep wrote:
> > Mirek Sobczak wrote:
> >> Hi,
> >> I've Debian running Shorewall, with two interfaces.
> >> Sometimes I want to block access of one host from the local network to the internet.
> >> I've used the command:
> >> shorewall drop 10.1.1.222
> >>
> >> after this that host can't make new connections, but existing connections
> >> are still active.
> >>
> >> How to break these active connections?
> >> Maybe I should use iptables directly?
> >
> > Use 'cutter'.
>
> Or if you have small blacklists, you can also set BLACKLISTNEWONLY=No in
> shorewall.conf.

Or insert a blocking route (ip route add prohibit 10.1.1.222). That one works even with large blacklists.
Andrew Suffield wrote:
> On Tue, Dec 11, 2007 at 11:06:36AM -0800, Tom Eastep wrote:
>
>> Tom Eastep wrote:
>>
>>> Use 'cutter'.
>> Or if you have small blacklists, you can also set BLACKLISTNEWONLY=No in
>> shorewall.conf.
>
> Or insert a blocking route (ip route add prohibit 10.1.1.222). That
> one works even with large blacklists.

Thank you for both fast answers. I've tried cutter. It seems that it works. But I'll learn the other solutions too.

Kind regards
Mirek Sobczak

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
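As an added example (not from anyone in this thread, nor from Shorewall or cutter), a small POSIX shell check that lists the tracked flows a dropped host still has open, i.e. the entries that `shorewall drop` leaves alive and that `cutter <host>` is meant to terminate. The conntrack table is a constructed sample in the /proc/net/nf_conntrack line format; the firewall address 198.51.100.7 and the remote peers are made up.

```shell
#!/bin/sh
# Added example (not from the thread): list the conntrack entries that keep a
# host's existing connections alive after `shorewall drop`, which blocks only
# NEW connections. Input follows the /proc/net/nf_conntrack line format; on a
# real firewall feed it `cat /proc/net/nf_conntrack` instead of the sample.

# Constructed sample table: 10.1.1.222 is the host from the thread, the
# firewall's external address 198.51.100.7 and the remote peers are made up.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.222 dst=203.0.113.80 sport=51234 dport=443 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.1.1.17 dst=203.0.113.80 sport=40000 dport=80 src=203.0.113.80 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.1.1.222 dst=192.0.2.53 sport=44321 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=44321 mark=0 use=1
ipv4     2 tcp      6 299 ESTABLISHED src=10.1.1.222 dst=203.0.113.9 sport=51300 dport=22 src=203.0.113.9 dst=198.51.100.7 sport=22 dport=51300 [ASSURED] mark=0 use=1'

# Read a conntrack table on stdin and print "proto state dst:dport" for every
# flow whose original-direction source is $1. Only the first src=/dst=/dport=
# of a line is the original direction; the second set is the (NATed) reply.
active_conns_for() {
    awk -v h="$1" '
    {
        proto = $3; state = ""; src = ""; dst = ""; dport = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^[A-Z_]+$/ && state == "")      state = $i
            else if ($i ~ /^src=/ && src == "")       src = substr($i, 5)
            else if ($i ~ /^dst=/ && dst == "")       dst = substr($i, 5)
            else if ($i ~ /^dport=/ && dport == "")   dport = substr($i, 7)
        }
        # UDP entries carry no state field, so print "-" for them
        if (src == h) printf "%s %s %s:%s\n", proto, (state == "" ? "-" : state), dst, dport
    }'
}

# Number of tracked flows originated by $1 in the sample table; a non-zero
# count after `shorewall drop` is exactly what `cutter <host>` should clear.
count_active_conns() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | active_conns_for "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CONNTRACK" | active_conns_for 10.1.1.222
echo "tracked flows for 10.1.1.222: $(count_active_conns 10.1.1.222)"
```

Run it again after `cutter 10.1.1.222` (or after adding the prohibit route and waiting for the entries to time out) and the count for that host should fall to zero.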